Make 'credentials' configurable for GQL requests #470
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
|
@timsuchanek @HuVik Is the |
|
It was broken before, i think here 300f250 |
|
Did you have little time to check this out, @timsuchanek? |
|
It was already broken, but I'm fixing it right now. Thanks for the PR! |
|
Thank you for merging it, Tim! |
Merged
1 task
|
It appears that the parameters passed via |
7 tasks
|
I think this should be set to |
|
@vincenzo you legend this is dope. |
cgxxv
pushed a commit
to cgxxv/graphql-playground
that referenced
this pull request
Mar 25, 2022
Make 'credentials' configurable for GQL requests
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes #364
The cause of the issue
The issue was due to this. Tim must've commented that out because having
credentials: "include"by default is not best practice, as it breaks requests to any server that does not have the correctcorsoptions set up. Specifically, a server must know the domains of all the requesters in advance whencredentials: "include".The proposed change
The change proposed here is very simple:
request.credentials: "omit"to the default settingsfetch()call used to "post" GraphQL queries/mutations to the serverBy having
"omit"as a default setting, I preserve the current behaviour: no request will be broken due to lack of the correctcorsoptions server-side.Additionally,
request.credentialscan take all the values thatcredentialsforfetch()takes:"omit""include""same-origin"Of course, one must know what they are doing, as the server must have
corsenabled and correctly configured. Thesame-originvalue comes in handy for those project like the one I am working on right now, where we use an express middleware, so client and server are on the same domain. Also, our official "client", when ready, will also be living on the same domain. Theincludevalue can be set for all other scenarios where the client lives on a different domain than the server and one can tell the server what "client domains" to allow.Tested
I have tested this locally pointing the react app to my server (correctly configured for each of the
credentialsvalues) and all seems to be working just fine.Potential improvements
It might be that
Settingsis not exactly the best place to put this setting in, but I do believe that it is a good enough choice for the time being.Expose the settings to the middlewares so that they can instantiate the Playground with the option for "credentials" that it is best for their project.